How Can We Make Sense of Cybersecurity Titles?
On this week's Defense in Depth, Hadas Cassorla, JD, MBA, CISSP, CISO, M1, Renee Guttmann, former CISO of Coca-Cola, Time Warner, and Campbells, and I all discuss cybersecurity titles.
What's the difference between these leadership titles? Does anyone know what the difference is between a head of security, a VP of security, and a CISO? Do job responsibilities change depending on whether you're a security analyst or a threat engineer? Roles are confusing, and so are the pay and responsibilities attached to them.
Why are cybersecurity titles an issue? This is not just an issue of vanity, but "it directly impacts not only our ability to recruit, but also impacts the employee (compensation, professional development/career ladder) and in the end the business's ability to retain talent," said Mathew Biby, CISO, Gogo | Satcom Direct.
OK, then what titles should we use? Try the NICE Cybersecurity Workforce Framework (NIST SP 800-181), as presented by NICCS (National Initiative for Cybersecurity Careers and Studies). It breaks the field down into seven high-level categories, then specialty areas, and then work roles within those. So, depending on the size of the team you're going to build, you can drill down to the appropriate level of detail.
Can we truly achieve standardization in cybersecurity titles? Samuel R. is doubtful; he suggests "I would advocate for cybersecurity job titles, salaries, and job descriptions harmonization." Harmonization gets close to standardization, but doesn't necessarily require it. And Gabe S., CISO, PDC TECHNOLOGY, Inc., noted that the reason we have so much confusion is that tech roles are constantly morphing, unlike more classic positions like CEO, CFO, and secretary.
Regulated industries are in a better position to standardize. "Regulated industries have stipulations for just using the term 'manager,'" noted Edward Contreras, CISO, Real Healthcare Strategies For All, LLC. Those industries are already there with standardization. Contreras recommends partnering with Legal and HR to standardize at least within your organization. But good luck having success across industries.
You'll hear these segments on this episode of Defense in Depth. Listen. Remember, we also have transcripts of all our episodes.
Thanks to all our other contributors (witting and unwitting): Tony M. and Kip Boyle .
Thanks to our podcast sponsor, IANS Research
Join us TOMORROW, Friday [10-28-22] for “Hacking API Security”
Think you know everything about API security? Of course you don't. That's why we're holding another Super Cyber Friday on this very topic. Join us for conversation tomorrow with our guests, Karl Mattson, CISO, Noname Security, and JJ A., CISO, Compass.
Register for Super Cyber Friday on October 28th, 2022
Thanks to our Super Cyber Friday sponsor, Noname Security
LIVE on Fridays! Cyber Security Headlines - Week in Review
We're live tomorrow and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. The show is hosted by Richard Stroffolino, and our guest will be William Spice Gregorian. Participate live in the conversation on YouTube by registering here.
And if you haven't done so already, subscribe to the podcast or subscribe to the daily newsletter.
Thanks to this week's headlines sponsor, Votiro
Jump in on these conversations
"How does one move “silently” through a network without being detected?" (More here)
"How common is imposter syndrome in this field?" (More here)
"Guilty verdict in the Uber breach case makes personal liability real for CISOs" (More here)
Upcoming Super Cyber Fridays
Save your spot and register for them all now!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.
Great episode! 23 NYCRR 500 specifically requires covered entities to have a CISO. "Section 500.04 Chief Information Security Officer"
CISO | InfoSec | Risk Management | GRC | Consultant | Business Administration | Bridging security expertise with business reality. (2 years ago)
I think there is a natural conflict that happens with the perception of roles and responsibilities because each organization's structure and environment are different. Some wear multiple hats, whereas others are providing specific services. Standardization will certainly help clear things up and help with understanding compensation as well. Applicability? How do we standardize? As with anything, it will be difficult to get all the moving pieces together. I like the example you have already given. It has to start somewhere. As technology changes, the roles change, and that is a challenge.
Global Chief Information Security Officer (CISO) | Advisor | Builder of Teams & Security Programs | GRC | Security Operations | Product Security | Transforms Security Challenges into Strategic Advantages (2 years ago)
David Spark, Hadas Cassorla, JD, MBA, CISSP, Renee Guttmann: great discussion and a subject I am very passionate about. So how do we take the next step to move the needle as a security community? I am willing to collaborate with whomever to begin this evolution. We have to start somewhere, so who's in?
UNC Health, CISSP, CISM, CPHIMS (2 years ago)
We haven't standardized any other IT job title yet, so why would InfoSec be any different? Case in point: what does "Systems Administrator" mean? Personally, it's meant everything from "Tier 3 Desktop Support" to "Domain Admin" to "InfoSec Analyst" to "Network Analyst" to "If it has a power cord, it's yours"... Every organization is a different animal, so every org needs a different type of "veterinarian".